Safeguarding the Internet of Things

Being secure, vigilant, and resilient in the connected age

A defining element of the Internet of Things (IoT) is that objects are not merely smart – equipped with sensors and processing power – but also connected: able to share the information they generate. Smart, connected objects offer tremendous opportunities for value creation and capture, but can also create tremendous risks demanding new strategies for value protection. A single vulnerable device can leave an entire ecosystem open to attack, with potential disruptions ranging from individual privacy breaches to massive breakdowns of public systems.

The rise of the IoT not only invents the new ways to generate and capture value through information, but also creates a new need to protect this information-based value. It is highly effective to think about cyber risk management using the following paradigm:

Secure: In the spirit of “prevention” being worth more than a “cure,” effective risk management begins by preventing system breaches or compromises. The forms that effective prevention takes include controls of many layers, types, and approaches, because the potential attacks are quite effective at exploiting weaknesses never imagined by their creators. We lock our doors because thieves might enter through them. Similarly, we physically “harden” sensors on power plants to protect them from accidental or deliberate assaults, and install software firewalls to keep out hackers.

Vigilant: Making a system secure is not a once-and-for-all proposition. Both hardware and software degrade over time due simply to age. Worse, the nature and intensity of attacks can change in ways that render previously effective security measures obsolete. And, of course, no level of security is perfect: Best efforts still leave any system vulnerable. Consequently, security must be complemented by vigilance—monitoring to determine whether a system is still secure or has been compromised.

Resilient: When a breach occurs, limiting the damage and reestablishing normal operations are much more easily and effectively done when there are processes in place to quickly neutralize threats, prevent further spread, and recover.

This framework has proved valuable in creating effective risk management systems for IoT deployments. In this article, we will illustrate how to apply it in a newly connected age.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), and its network of member firms, and their related entities. DTTL and each member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see About Deloitte to learn more about our global network of member firms.